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Abstract 

Sealing information means making it publicly available, but with the 
possibility of knowing if it has been read. Commenting on [1], we will 
show that perfect quantum sealing is not possible for perfectly retrievable 
information, due to the possibility of performing a perfect measurement 
without disturbance, even on unknown states. The measurement is a 
collective one, and this makes the protocol of quantum sealing very in- 
teresting as the only example of the power of collective measurements in 
breaking security. 



1 Introduction 

Recently the idea of a quantum seal has been proposed^Q. It was introduced as 
the quantum version of a classical seal. Classical seals is what was used before 
the time of electronic transfer to seal important documents or letters, and it 
consists of a wafer of molten wax into which was pressed the distinctive seal 
of the sender. In the quantum version the seal becomes a way of encoding a 
classical message into quantum states. Ideally the quantum seal should possess 
exactly the same properties as the classical seal, however, as it will be shown 
here, some of the requirements are too restrictive to allow a perfect quantum 
mechanical solution. 

The paper is organized as follows. In Sections 2 and 3 we review the original 
ideas of quantum sealing. In Section 4 we present the impossibility proof for a 
certain class of quantum seals, including the original proposed scheme. Finally, 
we summarize our results, and discuss alternative ideas in Section 5. 



'Permanent address: UCCI.IT, via Olmo 26, 1-23888 Rovagnate, Italy 
^url: www.qubit.it 



1 



2 The sealing protocol 



The classical wax seal has some very particular properties. First of all, it is 
important to realize that the sender of the sealed letter is not committed to the 
content, a new letter can always be written and sealed, and substitutes the pre- 
vious one. The seal serves two purposes: it provides some kind of authentication 
to persons with prior knowledge of the symbol on the seal, and it indicates if 
the envelope has been opened. Notice furthermore that the seal can be broken 
by anyone who wishes to learn the content of the letter. The classical seal does 
not provide security for the content, but a way of knowing if the letter has been 
read. 

The quantum seal as proposed in reference [1] works in the following way: 
Alice, who wants to write a classical message and seal it with a quantum seal, 
encodes one bit of information into a product state of three qubits. Two of 
the qubits, the message qubits, will be in the same state |0) or |1) (of the 
computational (z)-basis), depending on whether Alice wants to encode bit value 
'0' or T'. The third qubit, the control qubit, will at random be prepared in one 
of the four states 0^), \l x ), \0 y ) or \l y ). Notice that these six states together 
form the three mutually unbiased bases in two dimensions. In each triplet of 
qubits the position of the control qubit is for security chosen at random. 

When Alice has written her full message, which is a product state of many 
qubits, she stores it in a quantum memory in a publicly accessible place, and 
announces that the reading basis of the message is the z-basis. The knowledge 
of the message reading basis allows everyone to read the message, because a 
measurement in the z-direction followed by a simple majority vote on the results 
of each triplet will reveal the bit value encoded by Alice. For example, consider 
the following triplet of qubits |0)|0 a )|0), a measurement of each single qubit in 
the z-basis will with equal probability give either '000' or '010', and a majority 
vote will tell the reader that in cither case the bit value encoded by Alice was 
'0'. Notice that Alice can at any moment check if the message has been read. 
This is due to the fact that a measurement in the z-basis will change the state 
of the control qubits, and since Alice knows the position of each control qubit, 
she can check if the state has been changed. 

This far there is nothing which allows intended readers to verify if the mes- 
sage has been read. As in the classical case, this step requires that the reader has 
additional information. This problem is solved by allowing Alice to distribute 
copies of some of the qubits in the message among the intended readers, Bob-1,.. 
Bob-N. Each Bob will be given a small set of qubits in states corresponding to 
specific positions in the sealed message, and he will also be told the position of 
each of the qubits, but what is very important he will not be told the state! 

In order for Bob to check if the message has been read, he can borrow from 
the sealed message the qubits which correspond to the copies Alice has provided 
him with, and on each pair he can perform a so-called SWAP-testjS;- A SWAP- 
test allows to check if two states are identical without any knowledge of the 
state, and moreover, if the states are identical they will not be disturbed by 
the test. This means that the SWAP-test performed on an undisturbed sealed 
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message will not inflict any errors. 

The quantum sealing protocol as given above, contains practically all the 
desired features of a quantum seal: Alice is not committed, she can always 
write a new message and seal it. By revealing the reading basis, she enables the 
whole world to read her message, but by adding control qubits she can verify 
if someone has actually read it. Even more, by giving additional qubits to the 
intended readers they too will be able to check if the message has been read, by 
performing the SWAP-test, without causing disturbance and without learning 
anything about the message. 

3 Reading without breaking the seal: collective 
measurement s 

As was already pointed out in the original paper on quantum seals Q the above 
protocol for quantum seals is only secure against single qubit attacks. Un- 
fortunately it is not secure against collective attacks. Actually, by performing 
collective measurements on each triplet of qubits (corresponding to one encoded 
classical bit), it is possible to learn the encoded bit value without introducing 
any kind of errors. This is due to the fact that the twelve three qubit states 
which encode the value are orthogonal to the twelve three qubit states which 
encode value 1. Indeed all the 0-states lie in a subspace spanned by the follow- 
ing states (in the z-basis), 000), 1 001) , |010) and 1 100), whereas all the 1-states 
lie in the orthogonal subspace spanned by | 111) , 1 110) , 1 101) and 1 01 1) . This 
means that a measurement of the corresponding projectors: 



will distinguish perfectly between the and the 1 values — without disturbing 
the state. This means that a collective measurement of this kind will allow 
the sealed message to be read without disturbance, which means to learn the 
message without introducing errors whence avoid detection. 

Notice that the set of states used to encode the value is not orthogonal, 
and similarly for the value 1, which means that it is impossible to distinguish 
among states within each set with certainty. Indeed, someone performing col- 
lective measurements will be able to read the sealed message without detection, 
because the measurement will reveal the classical bit value encoded in the triplet 
of states, but the measurement will not reveal the quantum state. It is worth 
emphasizing again the collective nature of the measurement, that, as we'll see, 
is a general feature of our impossibility proof. Indeed, the sealing protocol pro- 
vides a unique illustration of the power of collective measurements in breaking 
security. 




|000)(000| + |001)(001| + |010)(010| + |100)(100|, 
| 111) (111 | + |110)(110| + 1 101) <101 1 + |011) (011 1 



(1) 

(2) 
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4 The impossibility proof 



Is it always possible to make perfect discrimination between two sets of states 
without disturbing the measured system, even without a complete knowledge of 
the quantum state? This is essentially the problem underlying the possibility 
of achieving a secure quantum protocol to seal classical information. In fact, 
in order to make information publicly available, one needs to disclose publicly 
the procedure of the quantum measurement which perfectly discriminates the 
encoded values of the logical bit. On the other hand, the possibility of knowing 
that the seal has been opened needs a signature left on the quantum system 
signaling that the system has been measured, namely the measurement must 
produce a "disturbance" on the system. 

The general scenario of the quantum protocol for sealing classical information 
is the following. We know that the classical bit is encoded in two families of 
states, here denoted by 

6 = 0,1, (3) 

where TC is the global Hilbert space on which the logical bit is encoded, and 
A G A is a running parameter labeling the states of the family. The fact that 
the classical information is publicly available means that there is an openly 
known POVM {P< 6 )} on H namely 

p( fe ) > 0, b = 0, 1, p(°'+pW=i w . (4) 

If we consider the situation of no reading-error for the classical information, 
then we must have 

(^\P^\^)=6 W , VAgA. (5) 

Notice that, since p( b ) is positive, the square root of the operator is well defined 
and Eq. (JSJ is equivalent to 

(^flv/p^/P^lvf) = Ilv/P^ff = <W, VA G A, (6) 

namely 

V X b ')|V,W) = 0, for b ^ b', VA G A, (7) 
Upon defining the two Hilbert subspaces 

W<» = Span^f), AG A}, (8) 

Eq. (JSJ) tells us that the POVM element P^ - 1 must have support orthogonal 
to TiS x \ and must have support orthogonal to TiS Q >. This also implies 
that Ti^ is orthogonal to "HS 1 ^ , since, otherwise, there would exist a common 
subspace whose elements, e. g. 10'°') = \<p' 1 ') would give 

(^Wl.pC 1 )!^ )} = ^(^I^XV'ri^^l^X^I^) = o, (9) 

A, A' 
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and analogously {f^ IP*- -* = 0. But, since \4>^) — l^ 1 ') one also has that 
((p<n\pM\(pW) = (and <0(°> |P<°) |^°)) = 0), namely (pW |P<°) + P« l^ 1 )} = 
0, which contradicts completeness. In this way we have proved that is 
orthogonal to Ti.^, namely one has the Hilbert space direct-sum decomposition 

H = H {0) ®H (1) . (10) 

On the other hand the direct-sum decomposition (|l(Jfl implies that the two 
POVM elements must be orthogonal projectors, since they have orthogonal 
support and are complementary. If the two Hilbert subspaces 7^°' and Ti^ 
are not isomorphic, then we can always extend the smallest one in such a way 
to make them so. Then, without loss of generality, we can write the (extended) 
Hilbert space H as follows 

H = H {a) ©H (1) ~H (0) ®C 2 . (11) 

In the logical-bit tensor product decomposition l|ll|)- the two families of states 
rewrite as follows 

Hi b) ) = Hx)®\b) eH, 6 = 0,1, (12) 
and the POVM is expressed as follows 

pW=/ w ®|6>(6|. (13) 
The POVM (|13(l can be achieved by the Luders measurement 

p(b) p p(b) 



Tr[PWpPW] ' 



P {b)=Tv[P^pP^}, (14) 



where p(b) denotes the probability of outcome b = 0, 1. Clearly the measurement 
l|14|) allows to distinguish between the logical bits without disturbing the two 
families of states in Eq. JHJl. 

In the case of the protocol above we have 

H (0} = Span{|000), |001), |010), |100)}, (15) 
H (1} = Span{|lll),|110),|101),|011)}, (16) 

and the embedding l|ll|l can be achieved, for example by the unitary transfor- 
mation which just exchanges only the two states 1 1 1) and 1 100) , with the logical 
qubit played by the first physical one. 



5 Discussion and future developments 

We have shown that perfect quantum sealing of classical information is not 
possible if the information is perfectly retrievable, namely the seal is insecure 
when classical information is encoded into quantum states and classical error 
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correction codes are used to ensure error free reading of the sealed message. 
This is due to the fact that the resulting quantum states representing the logical 
bit value (in the above example three qubit states) become orthogonal, hence 
the quantum seal can be broken by a collective measurement. We emphasize 
that the collective measurement can only distinguish between the logical bit 
values, whereas the specific state remains unknown and undisturbed. Quantum 
seals are a concrete example of the power of collective measurements in breaking 
security. 

We want to point out that sealing classical information by means of classical 
error correcting codes into quantum states is not the only way of implementing 
to idea of quantum seals. Chau[3] has presented a version of quantum seals 
which seals quantum information into quantum states by means of entangle- 
ment and quantum error correcting codes. Unfortunately the protocol works 
for one (or few) authorized verifier and not as was originally proposed, that all 
intended readers can verify that the seal is still intact. More recently, Singh 
and Srikanth^] have proposed to use quantum seals in combination with secret 
sharing, so that it is not the message which is sealed, but each share. In prin- 
ciple this allows for sealing both classical and quantum information. By sealing 
the shares and not the message they can avoid the problem which we have been 
addressing in this paper. 

Our impossibility proof forbids perfect security of sealing for perfect retriev- 
ability of classical information. However, it is in principle possible to restore 
security when the information cannot be recovered perfectly 5 . 
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